
Mastering tcpdump: From Basics to Automated Capture and Business Architecture Mapping

This article guides operations engineers through tcpdump fundamentals, advanced filtering techniques, the design of an automated packet‑capture tool, and how to transform captured traffic data into a visual business architecture tree for efficient fault isolation and resource optimization.

Efficient Ops

Introduction

Operations engineers rely on tcpdump as a powerful packet‑capture tool; its flexible filter syntax enables extraction of key traffic from massive data streams.

1. tcpdump Basics

tcpdump captures the header of every network packet and supports filtering by host, port, protocol and logical operators.

Typical command patterns:

tcpdump -i eth1 -n -X src host 10.19.66.62
tcpdump -i eth1 -n -X src host 10.19.66.62 and dst port 80
tcpdump -i eth1 -n -X src host 10.19.66.62 and dst port 80 and tcp

Example output shows the eight lines of the TCP three‑way handshake and four‑way termination, with fields such as src > dst, flags, seq, ack, window, urgent and options.

To capture packets with the PSH‑ACK flags set ([P.]), use the expression tcp[13]=24: byte 13 of the TCP header holds the flag bits, and PSH (0x08) plus ACK (0x10) is 0x18 = 24. To capture HTTP GET requests, match the ASCII bytes of "GET " at the start of the payload with tcp[20:4]=0x47455420. Offset 20 assumes a TCP header without options; the option‑aware form tcp[((tcp[12:1] & 0xf0) >> 2):4]=0x47455420 reads the data offset from the header and also matches when options such as timestamps are present.

2. Automated Capture Tool Implementation

The tool consists of a scheduler script run.sh and a worker script access.sh. The scheduler runs every 30 minutes via crontab, checks CPU load by sampling /proc/stat over a 5‑second interval, and only launches the worker when load is below a configurable threshold (e.g., 90%).

CPU load calculation:

cpu_used1 = user+nice+system+irq+softirq
cpu_total1 = user+nice+system+idle+iowait+irq+softirq
# sleep 5 seconds, then repeat
cpu_used2 = user+nice+system+irq+softirq
cpu_total2 = user+nice+system+idle+iowait+irq+softirq
load = (cpu_used2 - cpu_used1) / (cpu_total2 - cpu_total1) * 100%

After load validation, the script discovers network interfaces and IP addresses, enumerates listening TCP/UDP ports (excluding local bindings), and invokes tcpdump with appropriate filters (empty packets, inbound/outbound, specific ports, etc.). Captured data are formatted and reported to the network‑management system.
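The scheduler logic above, as an added example that is not the original run.sh or access.sh: it applies the article's CPU‑load formula to two /proc/stat samples, enumerates listening TCP ports from /proc/net/tcp while skipping loopback bindings, and assembles the tcpdump command line for the discovered ports. The two /proc/stat lines, the /proc/net/tcp excerpt and the 90 % threshold are constructed sample values; reading the live files only happens in sample_load(), which is Linux‑specific.

```python
"""Added example (not the original run.sh/access.sh): CPU-load gate and capture
command construction for a scheduled tcpdump worker."""
import shlex
import time

# Fields of the aggregate "cpu" line in /proc/stat, in order.
_FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq")


def parse_cpu_line(line):
    """Return (used, total) jiffies from a 'cpu ...' line using the article's formula:
    used = user+nice+system+irq+softirq, total = used+idle+iowait."""
    parts = line.split()
    if not parts or parts[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line from /proc/stat")
    v = dict(zip(_FIELDS, (int(x) for x in parts[1:1 + len(_FIELDS)])))
    used = v["user"] + v["nice"] + v["system"] + v["irq"] + v["softirq"]
    total = used + v["idle"] + v["iowait"]
    return used, total


def cpu_load(line1, line2):
    """Percentage of CPU time spent busy between two /proc/stat samples."""
    used1, total1 = parse_cpu_line(line1)
    used2, total2 = parse_cpu_line(line2)
    dt = total2 - total1
    if dt <= 0:  # no elapsed jiffies (or counters wrapped): treat as idle
        return 0.0
    return (used2 - used1) * 100.0 / dt


def sample_load(interval=5):
    """Sample /proc/stat twice, `interval` seconds apart (Linux only)."""
    with open("/proc/stat") as f:
        first = f.readline()
    time.sleep(interval)
    with open("/proc/stat") as f:
        second = f.readline()
    return cpu_load(first, second)


def listening_tcp_ports(proc_net_tcp):
    """Parse /proc/net/tcp text and return the ports in LISTEN state (st == 0A),
    skipping sockets bound only to loopback (0100007F is 127.0.0.1 in the file's byte order)."""
    ports = set()
    for row in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        cols = row.split()
        if len(cols) < 4:
            continue
        local, state = cols[1], cols[3]
        ip_hex, port_hex = local.split(":")
        if state != "0A" or ip_hex == "0100007F":
            continue
        ports.add(int(port_hex, 16))
    return ports


def build_tcpdump_cmd(iface, ports, count=1000, outfile="capture.pcap"):
    """Assemble the tcpdump argv for inbound TCP traffic to the discovered listening ports."""
    if not ports:
        raise ValueError("no listening ports to capture")
    expr = "tcp and (" + " or ".join(f"dst port {p}" for p in sorted(ports)) + ")"
    return ["tcpdump", "-i", iface, "-n", "-c", str(count), "-w", outfile, expr]


def should_capture(load, threshold=90.0):
    """Launch the worker only while load is strictly below the threshold."""
    return load < threshold


# Constructed sample input: two /proc/stat lines 5 s apart and a /proc/net/tcp excerpt.
SAMPLE_STAT_1 = "cpu  100 0 100 700 50 25 25 0 0 0"
SAMPLE_STAT_2 = "cpu  600 0 400 750 100 75 75 0 0 0"
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 3E42130A:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 3E42130A:C3A4 5045D3AC:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    load = cpu_load(SAMPLE_STAT_1, SAMPLE_STAT_2)
    ports = listening_tcp_ports(SAMPLE_NET_TCP)
    if should_capture(load):
        print("launching:", shlex.join(build_tcpdump_cmd("eth1", ports)))
    else:
        print(f"load {load:.0f}% is at or above the threshold, skipping this run")
```

With the constructed samples the load works out to exactly 90 %, so the gate refuses to launch: the comparison is strict, which is the behaviour you want when the threshold itself marks an overloaded host. The loopback MySQL socket (0100007F:0CEA) and the established connection in state 01 are both dropped, leaving ports 80 and 443 in the filter.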

3. Business Architecture Tree from Access Relationships

Collected packet data are aggregated by IP into functional modules using CMDB information, then visualized as a tree where nodes represent modules and edges represent call relationships. Load indicators are shown as colored bars (green < 30 %, blue 30‑80 %, red > 80 %).

For TCP, the caller is the source‑IP module and the callee is the destination‑IP module; for UDP, clustering of service ports determines the callee.

The platform automatically builds the tree, applies layout algorithms, and renders a diagram that highlights abnormal call patterns such as loops or excessive hops.
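The aggregation and loop detection described in this section, as an added example that is not the platform's own code: access records distilled from captures are mapped to modules through a CMDB lookup, TCP edges run from the source‑IP module to the destination‑IP module, UDP callees are chosen by clustering the port that talks to several peers, intra‑module traffic is discarded, and a depth‑first search flags call loops. The CMDB excerpt, the records and the module names are all constructed sample data.

```python
"""Added example (not the platform's own code): build a module-level call graph
from captured access records and flag loops."""
from collections import defaultdict

# Constructed CMDB excerpt: IP -> functional module.
CMDB = {
    "10.19.66.62": "web-frontend",
    "10.19.66.63": "web-frontend",
    "10.19.67.10": "order-api",
    "10.19.68.5": "mysql",
    "10.19.69.7": "metrics-collector",
}

# Constructed records distilled from tcpdump output:
# (proto, src_ip, src_port, dst_ip, dst_port, packets)
RECORDS = [
    ("tcp", "10.19.66.62", 51234, "10.19.67.10", 8080, 120),
    ("tcp", "10.19.66.63", 51240, "10.19.67.10", 8080, 80),
    ("tcp", "10.19.67.10", 40001, "10.19.68.5", 3306, 300),
    ("tcp", "10.19.67.10", 40002, "10.19.66.62", 80, 10),   # callback to the frontend: forms a loop
    ("udp", "10.19.66.62", 51000, "10.19.69.7", 8125, 50),
    ("udp", "10.19.69.7", 8125, "10.19.67.10", 43210, 5),   # reply datagrams: the service is the source
]


def udp_service_ports(records, min_peers=2):
    """Cluster UDP endpoints: a (host, port) seen with at least min_peers distinct peers is a service port."""
    peers = defaultdict(set)
    for proto, sip, sport, dip, dport, _ in records:
        if proto != "udp":
            continue
        peers[(sip, sport)].add(dip)
        peers[(dip, dport)].add(sip)
    return {ep for ep, p in peers.items() if len(p) >= min_peers}


def call_edges(records, cmdb):
    """Return {(caller_module, callee_module): packets}.
    TCP: caller is the source module, callee the destination module.
    UDP: the side holding a clustered service port is the callee regardless of packet direction."""
    service = udp_service_ports(records)
    edges = defaultdict(int)
    for proto, sip, sport, dip, dport, n in records:
        if proto == "tcp":
            caller, callee = sip, dip
        elif (sip, sport) in service and (dip, dport) not in service:
            caller, callee = dip, sip  # reply from the service back to its client
        else:
            caller, callee = sip, dip
        cm, ce = cmdb.get(caller, "unknown"), cmdb.get(callee, "unknown")
        if cm != ce:  # traffic inside one module is not a call relationship
            edges[(cm, ce)] += n
    return dict(edges)


def find_loops(edges):
    """Return each cycle in the module call graph as a list of modules (closed back on the first)."""
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
    loops, stack, onpath, visited = [], [], set(), set()

    def dfs(node):
        stack.append(node)
        onpath.add(node)
        for nxt in adj[node]:
            if nxt in onpath:  # back edge: the path from nxt to here is a loop
                loops.append(stack[stack.index(nxt):] + [nxt])
            elif nxt not in visited:
                dfs(nxt)
        stack.pop()
        onpath.discard(node)
        visited.add(node)

    for n in list(adj):
        if n not in visited:
            dfs(n)
    return loops


def load_colour(pct):
    """Colour band of the load bar drawn on a tree node."""
    if pct < 30:
        return "green"
    if pct <= 80:
        return "blue"
    return "red"


if __name__ == "__main__":
    edges = call_edges(RECORDS, CMDB)
    for (caller, callee), n in sorted(edges.items()):
        print(f"{caller} -> {callee}: {n} packets")
    for loop in find_loops(edges):
        print("loop:", " -> ".join(loop))
```

The UDP rule matters because a reply datagram from the metrics collector would otherwise be recorded as the collector calling the order API; clustering on the port that serves several peers keeps the edge pointing at the real service. The loop the search reports (web‑frontend calling order‑api, which calls back into web‑frontend) is exactly the kind of pattern the rendered diagram should highlight.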

Conclusion

The article walks from tcpdump fundamentals to automated large‑scale capture and topology construction, providing operations teams with a practical method to locate faults quickly and to leverage access‑relationship data for resource recycling, monitoring, and alert correlation.
